Our response to the Axios developer tool compromise
Summary
OpenAI has responded to a software supply chain attack that reached it through the compromised Axios developer tool. The response consisted of rotating the macOS code signing certificates that may have been exposed and shipping updated builds of its macOS applications signed with the new certificates.
Key Points
- Rotation of macOS code signing certificates: the potentially compromised certificates were invalidated and replaced with new ones.
- Deployment of updated macOS application builds signed with the new certificates.
- Confirmation that no user data was compromised during the incident.
- Identification of the Axios developer tool as the vector for the supply chain attack.
Technical Details
The remediation centred on the macOS code signing certificates that may have been compromised. Rotation here means two things: issuing new certificates, and invalidating (revoking) the old ones. Once the old certificates are revoked, macOS trust evaluation (Gatekeeper) rejects any binary signed with them, which covers both any malicious binary an attacker might have signed and OpenAI's own earlier builds. That second consequence is why the rotation required a coordinated update of every OpenAI-distributed macOS application: running instances had to be replaced with binaries signed under the new, verified certificates rather than left to fail signature checks. Note that rotation alone does not distrust the old signer; the revocation step, and macOS being able to check it, is what does.
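The check a practitioner wants after a rotation like this is a way to confirm which certificate actually signed the app bundles on a machine, because the `Authority=` name and Team ID do not change when a vendor rotates to a new certificate under the same account. The script below is an added example, not OpenAI's tooling: it parses `codesign -dvvv` output, fingerprints the extracted leaf certificate (SHA-256 of the DER, the same value `openssl x509 -fingerprint -sha256` prints), and flags bundles whose signer is on a revoked list, whose Team ID is unexpected, or which are unsigned. The team ID `ABCDE12345`, the sample `codesign` output and the byte strings standing in for DER certificates are constructed placeholders; in real use the revoked fingerprints come from the vendor's advisory.

```python
"""Audit macOS app bundles for binaries signed with a revoked Developer ID
certificate. Added example, not OpenAI's tooling; all IDs and sample data
below are constructed placeholders."""
import hashlib
import os
import pathlib
import subprocess
import tempfile

# Hypothetical Apple Team ID of the vendor whose apps we expect to find.
EXPECTED_TEAM_ID = "ABCDE12345"

# Constructed stand-ins for DER-encoded leaf certificates (not real certs).
OLD_LEAF_DER = b"constructed-der-of-the-certificate-that-was-rotated-out"
NEW_LEAF_DER = b"constructed-der-of-the-replacement-certificate"

# Constructed sample of what `codesign -dvvv Example.app` writes to stderr.
SAMPLE_CODESIGN_OUTPUT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Hash type=sha256 size=32
CDHash=1111111111111111111111111111111111111111
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""


def leaf_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, lowercase hex without colons."""
    return hashlib.sha256(der_bytes).hexdigest()


# In real use, paste the hex fingerprints from the advisory here instead.
REVOKED_LEAF_FINGERPRINTS = {leaf_fingerprint(OLD_LEAF_DER)}


def parse_codesign_details(text):
    """Parse `codesign -dvvv` output. Authority= lines are printed leaf-first,
    so authorities[0] is the signing certificate; an unsigned or ad-hoc
    binary yields no Authority lines at all."""
    details = {"authorities": []}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            details["authorities"].append(value)
        elif key in ("Identifier", "TeamIdentifier", "CDHash", "Executable"):
            details[key] = value
        elif key.startswith("CodeDirectory"):
            # flags=0x10000(runtime) means the hardened runtime is enabled.
            details["hardened_runtime"] = "(runtime)" in value
    return details


def assess(details, leaf_fp, expected_team=EXPECTED_TEAM_ID,
           revoked=REVOKED_LEAF_FINGERPRINTS):
    """Return (verdict, reason). Revocation is checked by fingerprint, so it
    works offline and also catches legitimate builds signed before rotation."""
    if not details.get("authorities"):
        return "UNSIGNED", "no certificate chain (unsigned or ad-hoc signature)"
    if leaf_fp in revoked:
        return "REVOKED_SIGNER", f"leaf certificate {leaf_fp[:16]}... is on the revoked list"
    if details.get("TeamIdentifier") != expected_team:
        return "TEAM_MISMATCH", f"TeamIdentifier is {details.get('TeamIdentifier')!r}"
    if not details.get("hardened_runtime"):
        return "NO_HARDENED_RUNTIME", "signed without the hardened runtime"
    return "OK", f"signed by {details['authorities'][0]}"


def audit_bundle(app_path):
    """Run codesign against a bundle (macOS only) and assess the result."""
    info = subprocess.run(["codesign", "-dvvv", app_path],
                          capture_output=True, text=True)
    details = parse_codesign_details(info.stderr)
    with tempfile.TemporaryDirectory() as tmp:
        # --extract-certificates writes codesign0 (leaf), codesign1, ... to cwd.
        subprocess.run(["codesign", "-d", "--extract-certificates", app_path],
                       cwd=tmp, capture_output=True)
        leaf = pathlib.Path(tmp, "codesign0")
        leaf_fp = leaf_fingerprint(leaf.read_bytes()) if leaf.exists() else ""
    return assess(details, leaf_fp)


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:] or ["/Applications"]:
        for entry in sorted(os.listdir(root)):
            if entry.endswith(".app"):
                verdict, why = audit_bundle(os.path.join(root, entry))
                print(f"{verdict:20} {entry}: {why}")
```

Gatekeeper (`spctl --assess --type execute`) also refuses a revoked signer, but only when the machine can reach Apple's revocation services; the fingerprint comparison above needs no network and reports old-but-legitimate builds that were signed before the rotation, which are exactly the ones the coordinated update is meant to replace.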
Impact / Why It Matters
Users of OpenAI's macOS applications should update to the latest build. Once the previous certificates are invalidated, earlier builds signed with them will fail macOS signature verification just as a malicious binary would, so staying on an old version means running software the platform no longer trusts. The incident shows that a compromise of a widely used third-party developer dependency can reach a downstream vendor's release pipeline and the signing credentials it holds, which is why the response had to cover certificates and not only the dependency itself.